I don't think that the first statement is correct. OpenBSD is not nearly so visible as RSA, Norton, Verisign, et al., and those brands are heavily invested in the theatrical aspects of security to the point of emphasizing appearances over actual security.
The part of the industry that is visible to the general public, and even probably most of the technical community, is brands such as those, and you can't trust them. What BSD is doing here is saying, "You know that thing that all of those brands told you [and industry, and the government] is important? It doesn't improve security at all, and so we're going to ridicule the practice so that maybe it will get a stink that travels beyond our tiny realm of influence."
That's more valuable than politeness, because politeness doesn't create a stink, and OpenBSD is not well enough known to effect change without making a stink.
Addendum: To summarize my view of the situation, I think that the reason that a lot of the people that we think of as "good" security people are abrasive is that it's sooo much easier and more profitable to promise security than it is to deliver it. This means that the security industry is overflowing with bullshit and bad information. Since there's so much bullshit, the "good" security people have to be very quick, curt, and categorical about labeling the bullshit since most of us are almost completely incapable of distinguishing bullshit from delicious, nutritious food, and so are all too willing to lap it up. [sorry for the grossness, but I think that this must be what the situation feels like to "good" security people]
> RSA, Norton, Verisign, et al., and those brands are heavily invested in the theatrical aspects of security to the point of emphasizing appearances over actual security.
I think appearance over function has been true ever since politics and advertising were invented.
"Fortunately" (and I don't mean to encourage it), the abrasive people in the crypto community are like that when they tend to be right - and don't want "newbies" to make stupid, dangerous mistakes, so their tone comes out a little aggressive by default. But yeah, it could be improved. The community should work together on solving issues the right way.
Fortunately or unfortunately, there are also a reasonable number of abrasive people who tend not to be right, so I'm not sure it's a good marker either way. There's a whole rock-star persona around people who make consulting careers out of trying to position themselves as security badasses, and not all of them are.
The problem is that being abrasive without displaying a clear, correct opinion won't lead to greater influence. The latter stance is the important bit.
Security projects need adversarial discussions to keep them honest, but that's a special case.
That said, I find zero things wrong with OpenBSD's work to make LibreSSL. If anyone doesn't like it, I'll offer them their money back.